view make_global.py @ 25:41b47733baf8
turn off debug
author | drewp@bigasterisk.com |
---|---|
date | Thu, 08 Jun 2023 11:27:18 -0700 |
parents | b53ab97e8979 |
children | 0f6176ce0b46 |
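#!/usr/bin/python3
"""Emit the cluster-wide Pomerium CRD ("global") as JSON on stdout.

The manifest is assembled as a plain dict and printed with json.dumps so it
can be piped into a kubectl apply.  Progress messages go to stderr so they
never mix with the manifest on stdout.
"""
import json
import subprocess
import sys
import time

# Namespace that holds every secret the manifest references.
NAMESPACE = 'pomerium'
# Name prefix of the generated proxy TLS secret looked up by getSuffixedName().
PROXY_TLS_PREFIX = 'pomerium-proxy-tls-'
# Polling budget while waiting for the certificate secret to appear.
WAIT_TRIES = 100
WAIT_DELAY_S = 10


def getSuffixedName(ns: str = NAMESPACE, prefix: str = PROXY_TLS_PREFIX) -> str:
    """Return "<ns>/<name>" for the first secret in *ns* whose name starts with *prefix*.

    Calls `kubectl get secret -o json` as an argument list (no shell) and scans
    the returned items in listing order.

    Args:
        ns: namespace to list secrets in.
        prefix: secret-name prefix to match.

    Raises:
        ValueError: no secret with that prefix exists (yet).
        subprocess.CalledProcessError: kubectl exited non-zero.
    """
    raw = subprocess.check_output(["kubectl", "get", "-n", ns, "secret", "-o", "json"])
    listing = json.loads(raw.decode('utf8'))
    for item in listing['items']:
        name = item['metadata']['name']
        if name.startswith(prefix):
            return ns + '/' + name
    raise ValueError("no secret with prefix " + prefix + " in namespace " + ns)


# The Pomerium "global" settings object.  Every secret reference is a
# "<namespace>/<name>" string; the secret contents never appear here.
config = {
    'apiVersion': "ingress.pomerium.io/v1",
    'kind': "Pomerium",
    'metadata': {
        'name': "global"
    },
    'spec': {
        'secrets': "pomerium/bootstrap",
        'authenticate': {
            'url': "https://authenticate.bigasterisk.com"
        },
        'cookie': {
            'expire': "20h"
        },
        'identityProvider': {
            'provider': "oidc",
            'url': "https://accounts.google.com",
            'scopes': [
                "openid",
                "email",
                "profile"  # adds name+locale to user details
            ],
            'secret': "pomerium/idp"
        },
        'storage': {
            'postgres': {
                'secret': "pomerium/postgres-connection-key"
            }
        },
    }
}

# Old note: pom won't start up if this cert doesn't exist, so you have to run once
# with it commented out, then after cert success, run again with it enabled.
#
# The dynamic lookup is currently switched off in favour of the fixed secret
# name, so the loop below succeeds on its first pass and never sleeps; it only
# does real waiting (retrying on ValueError) when the getSuffixedName() call
# is re-enabled in place of the literal.
sys.stderr.write("wait for secret: ")
sys.stderr.flush()  # no newline above, so push the prompt out before polling
for _ in range(WAIT_TRIES):
    try:
        config['spec']['certificates'] = [
            # getSuffixedName(NAMESPACE, PROXY_TLS_PREFIX)
            'pomerium/pomerium-proxy-tls',
        ]
    except ValueError:
        sys.stderr.write('.')
        sys.stderr.flush()
        time.sleep(WAIT_DELAY_S)
    else:
        break
else:
    raise ValueError("certificate secret did not appear after %d tries" % WAIT_TRIES)
sys.stderr.write('\n')
print(json.dumps(config))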